Commenting on the new requirements, the Commissioner stated: “I am pleased that the Minister has introduced new legal requirements which recognise that the challenges to the maintenance of individual privacy are becoming increasingly complex in today’s electronic age. Individuals must be able to enjoy the benefits of new technology while at the same time remaining in control of their privacy. These new requirements give individuals new rights which my Office will enforce.
I particularly welcome the fact that the Minister has responded to public concern over data breach incidents by introducing strict requirements for service providers in this area with the ability for my Office to bring prosecutions where such requirements are not followed. I am also pleased that individuals can no longer be bothered on their mobile phones by direct marketers unless they have given their prior agreement.”
The main new requirements are:
- Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
- More stringent requirements for user consent for the placing of “cookies” on electronic devices
- Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls
All telecommunications companies and internet service providers are now required to notify the Data Protection Commissioner of every data breach involving a subscriber. They are also required to notify customers in all cases where there is a risk their data may be accessed. Failure to do so can lead to prosecution by the Commissioner with a fine of up to €5,000 per instance. The Commissioner can also for the first time prosecute companies in this area for allowing a data breach with fines on indictment of up to €250,000.
Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc.) must provide appropriate information to the user and obtain their consent, except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves the website (persistent cookies, as opposed to session cookies that the browser discards when closed) must identify a means of obtaining user consent.
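The practical line drawn above is between cookies that disappear when the visit ends and cookies that survive it. In HTTP terms a cookie persists only if the Set-Cookie header carries an Expires or Max-Age attribute, so an operator can enumerate the cookies for which the consent question arises by inspecting their own response headers. The following script is an added illustration, not part of the Commissioner's press release or of any Office guidance; the header lines it inspects are constructed samples, and whether a listed cookie is "strictly necessary" remains a judgement the script does not make.

```python
"""Classify Set-Cookie headers as session, deleted or persistent cookies.

Added example (not from the Data Protection Commissioner's text). A cookie
that outlives the visit is one sent with Expires or Max-Age; those are the
cookies for which consent must be obtained unless they are strictly
necessary for the service, which is a legal judgement left to the operator.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers for illustration only (not captured from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=8f3a1c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cart=abc123; Path=/; Max-Age=0",
    "_ga=GA1.2.123456; Expires=Thu, 31 Dec 2026 23:59:59 GMT; Path=/",
    "prefs=lang%3Den; Max-Age=31536000; Path=/; Secure",
]

# Fixed reference time so that the Expires comparison in the sample is repeatable.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now=None):
    """Return None for a session cookie, otherwise the seconds it is stored for.

    Max-Age takes precedence over Expires (RFC 6265, section 5.3). A zero or
    negative lifetime means the header deletes the cookie rather than storing it.
    """
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"])
        except ValueError:
            return None  # RFC 6265: an unparseable Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable Expires: treated as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def classify(headers, now=None):
    """Map each cookie name to 'session', 'deleted' or 'persistent'."""
    result = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        lifetime = cookie_lifetime(attrs, now)
        if lifetime is None:
            result[name] = "session"
        elif lifetime <= 0:
            result[name] = "deleted"
        else:
            result[name] = "persistent"
    return result


def cookies_needing_consent_review(headers, now=None):
    """Names of cookies that outlive the visit; each needs either a
    'strictly necessary' justification or a consent mechanism."""
    return sorted(name for name, kind in classify(headers, now).items() if kind == "persistent")


if __name__ == "__main__":
    for name, kind in classify(SAMPLE_SET_COOKIE_HEADERS, now=SAMPLE_NOW).items():
        print(f"{name}: {kind}")
    print("Needs consent review:", cookies_needing_consent_review(SAMPLE_SET_COOKIE_HEADERS, now=SAMPLE_NOW))
```

On the constructed sample the session identifier and the Max-Age=0 deletion are excluded, leaving the analytics and preferences cookies as the ones an operator must either justify as strictly necessary or gate behind consent. Cookies set by client-side script (document.cookie) do not appear in response headers and need a separate check.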
Electronic Marketing & Phone Calls
In a strengthening of the laws in this area, it is now an offence for any company or entity to phone a person on their mobile phone for a marketing purpose without having obtained their prior consent for such contact. The requirements now extend to all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.
Data Protection Commissioner launches his Annual Report for 2010 including special investigation on insurance data
Insurance Link Claims Database
The Commissioner is publishing the findings of the most wide-ranging investigation yet undertaken by his Office of a database of personal data kept by the insurance sector, known as Insurance Link. This is a shared claims database that allows member organisations to share and cross-reference their insurance claims data. At the time of the investigation it contained details of almost two and a half million claims. The investigation identified a major lack of transparency with regard to Insurance Link, and found that far too many individuals in insurance companies and other entities had access to the database with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed in the report.
Data Security Breaches
The Commissioner reports on his publication of a data security breach Code of Practice. This was one of the recommendations of a Working Group set up by the previous Minister for Justice, Equality and Law Reform, which also recommended a strengthening of our data protection laws to provide for penalties for serious breaches. The Code focuses on informing the people affected by security breaches so that they can take appropriate measures to protect themselves. It also encourages organisations to voluntarily report incidents to the Commissioner’s Office. 410 data security breach incidents were reported to the Office in 2010, almost three and a half times the number received in the previous 12 months (there were 119 reports in 2009). This large increase in reporting is a consequence of the more exacting demands of the Code of Practice. The Commissioner reports on serious data security breach incidents that occurred in 2010 involving the GAA and SelfCatering.ie (see pages 77 and 79 of the Report). The report also includes details of an ongoing investigation of a breach affecting personal data held by the Department of Social Protection.
Data Sharing in the Public Sector
The Commissioner is publishing a set of guidelines for public sector agencies that wish to share personal data in the public interest – for example, to prevent tax evasion and other types of fraud. Transparency and proportionality are the key guiding principles. The sharing should be explicitly provided for by law. The public sector customer should know what personal data may be shared. The extent of sharing should be limited to what is necessary to achieve the public interest objective. The disclosed data should benefit from a high level of security and be securely destroyed when no longer needed.
The deployment and use of CCTV continue to give rise to complaints from members of the public. Investigations regarding the use of CCTV systems in schools, in workplaces and in a small village, Culfadda in County Sligo, are detailed.
The report outlines concerns which arose following audits of charities. The report also provides information on positive engagements with the National Board for Safeguarding Children and the Catholic Church, the HSE in relation to its child welfare work in Limerick City and the Irish Council for General Practitioners.
The Commissioner’s report includes case studies of a number of investigations including:
- Prosecution of Ice Communications Ltd. for failing to comply with legal notices;
- Prosecution of three companies (Free Spirit Hair & Beauty Salon Ltd, Crunch Fitness Ltd and The Black Dog Communications Ltd) for sending marketing text messages;
- Prosecution of Fairco Ltd and Pure Telecom for calling numbers listed on the NDD opt-out register;
- Prosecution of Tesco for email marketing;
- Prosecution of UPC for offences related to unsolicited marketing phone calls;
- Deployment of biometric systems by commercial service providers and schools;
- Use of vehicle tracking systems;
- Disclosure of previous defence force career information by the Defence Forces;
- Disclosure of personal data by a housing association to a debt collection agent.
Note: The Annual Report is available for download in PDF format from the Data Protection Commissioner’s website: www.dataprotection.ie
A working group established by the Minister for Justice, Equality and Law Reform is at present examining if changes in data protection law are necessary to deal with such data breaches.
In the public sector, recent guidance from the Department of Finance on data security advises departments and agencies to report data breaches immediately to this Office. The guidance issued today by the Commissioner recommends that the same approach be followed by all organisations.
Commenting on the Guidelines, the Commissioner said: "We have seen a welcome trend towards organisations seeking our advice when they suffer a data breach. Our main focus is on preventing such loss of personal data and the distress it can cause to individuals. But we recognise that mistakes do happen and it is vital that organisations are ready to react. That means having plans in place to trace and secure the data that has been compromised, to prevent further security breaches and to warn those affected by the data security breach. It means allocating responsibility for the key decisions that have to be made in such circumstances. By these means organisations will prevent a bad situation from deteriorating further."